During the weekend, the entire
Newsland.ru which is among the most popular Russian news portals, was marked as as "this site may harm your computer" by StopBadware.org due to an IFRAME embedded link pointing to where else if not to
the RBN. Considering that each and every
embedded malware attack during 2007 that I assessed in previous posts, had something to do with the RBN in the form of a single RBN IP which was used in numerous malicious activities all at once, different sites get embedded with it, blackhat SEO postings at different forums etc. in this one the parties behind the attack dedicated a special IP with what looks like as a clean IP reputation. A
cached copy of the page will still load the live exploit url at
81.95.150.115/cgi-bin/in.cgi?p=user1 What really happened at Newsland.ru? Was it an end user who submitted a news story with the somehow embedded IFRAME to sort of conduct unethical competitive engagement by having Google mark the entire portal as harmful, or it was planned and executed on purposely?
In another such incident,
Podfeed.net was recently hacked and
malware embedded at its front page. The now clean site however, used to have an embedded link, over 20 times to be precise, pointing to the following URL :
yl18.net/0.js (125.65.77.25) with the .js having two IFRAMEs within, namely
yl18.net/0.html - 404 dead, and the second IFRAME
yl18.net/z.html which loads a third IFRAME within, pointing to
yzgames.cn/game.htm (125.46.105.140). This IFRAME-ing game relies entirely on
yl18.net/0.js to keep up and running, and a direct loading link to the script was also somehow embedded on high trafficked sites such as
cincinnatiusa.com;
cincinnati.com;
guidance.nice.org.uk. Moreover, Maarten Van Horenbeeck at the
ISC's blog has some detection rates while the malware was still active. This embedded malware campaign is a perfect example of an ongoing cover up, just like the case when several hours after the community started looking at the
Bank of India's malware serving site and the RBN URL removed the javascript and redirected it to Google.com, and we had the same situation with the recent discovery of 100 malwares on a single RBN IP, where the directory name has changed several hours later for yet another time. The same is the situation withe the malicious parties behind
Possibility Media's malware attack that once started getting visited by security vendors replaced all their main index page with a "get lost" message, as well as with
RBN's fake "account suspended" messages which aren't really in a process of cover up, but in a deception stage like always.
While I was researching a third domain that was serving a Banking trojan, and loading IFRAMEs to
sicil.info which in case you don't remember is the IFRAME behind the
Syrian Embassy hack, I came across to
injected blackhat SEO campaigns at two universities advertised in between the IFRAMEs, now removed, cached copies available -
emissary.wm.edu/EE/cache;
hsutx.edu/student_life/brand/wp-content/uploads. The reason I won't mention the domain in question is that the script kiddies behind it forgot to take care of their directory permissions just like the Russian Business Network did recently, and while in
RBN's case over 100 malwares were spotted, in this case it's a web C&C for a metaphisher type of banking malware kit, namely Zeus. It gets even more interesting, as it appears that a Turkish defacer like the ones
I blogged about yesterday is somehow connected with the group behind the recent Possibility Media's Attack, and the Syrian Embassy Hack as some of his IFRAMES are using the exact urls in the previous attacks. And you you already know while reading my previous assessments and the connections between them, one of the attack IP's in the Possibility Media's malware attack was also among the ones used in the Bank of India hack - it's the "ai siktir vee?" group with another unique IP.
Key points :- a Turkish defacer is taking advantage of an remotely installed web backdoor in order to host a metaphisher type of banking malware kit
- the defacer is embedding iframes that were used in the Bank of India hack, the Syrian Embassy hack, and the recent Possibility Media's malware attack
- if defacers start cooperating with malware groups given each of them excels at different practices, it's gonna get very ugly
If you don't take care of your site's web vulnerability management, someone else will.
Continue reading →
Yet another indication of the emerging trend of building a knowledge-driven cyber jihadist community, are such online archives with localized to Arabic standard security and hacking research papers, ones you definitely came across to before, or may have in fact written by yourself. As I've already discussed this trend in previous posts, it's a PSYOPS strategy in action, one that's aiming to improve the overall perception of cyber jihadists' ability to wage their battles without using software and web services of their enemies. Whether the investment in time and resources is worth it is another topic, what's worth pointing out are the efforts they put into localizing the content in between adding the standard propaganda layer, and later on, building a community around it.
Continue reading →
RSS Feed